I assume this file will be used to check that the files which come with the package have not been corrupted somehow. Since the file is called `/DEBIAN/md5sums`, I assume the hex number before the path+filename is the MD5 Message-Digest Algorithm hash of the package's files.

Now everybody interested knows that the MD5 hash was already broken a long time ago. Therefore it is totally possible to change the content of a file in the package (e.g. maliciously) and still have the file keep the same MD5 hash (see for instance the proof of concept "Predicting the winner....").

Question

Bearing in mind the information above I want to know the following:

*Assuming I install a package on my Ubuntu system, is the DEBIAN/md5sums file the only means to make sure the data has not been tampered with?*

Answering the question I think it could help to figure out the following:

Are the deb packages as a whole also hashed (hash values made for them), so that there is another way to make sure the files received are "safe"/"untampered"?

If there are other ways than the DEBIAN/md5sums file to ensure integrity, what is the file included in the *.deb packages anyhow?

Does Ubuntu use hashes for repository/package-system that are "less broken" than SHA-1 and MD5?

which unfortunately I do not know either.

Any response which can shed light on the question (or even only a subquestion) is very welcome.

update

(1)
https://help.ubuntu.com/community/Repositories/Ubuntu#Authentication_Tab seems to indicate that there is (as I hoped for) some public/private GPG key going on (to keep the repos and package systems safe from attacks). The information at the linked location is not very much though. It tells almost nothing about the security aspect of the package system. Anyhow, I assume the link already indicates that the answer to the question will be "NO - at least the deb packages from the repo - are also secured by .... ". Hope somebody has some insights to use for an answer here.

@chronitis thanks for the link there. Indeed the SHA-* hashes are mentioned there. I still have to figure out how they appear in the packages (which I did not see yet) or the package system. Do you know more? Well, the indication is already a good step
–
humanityANDpeace Jan 10 '13 at 14:33

3 Answers
3

Ubuntu publishes a manifest that is signed with an RSA key. The manifest lists individual Packages index files, each with MD5, SHA-1 and SHA-256 hashes. Each Packages file lists individual .deb files with MD5, SHA-1 and SHA-256 hashes.

For verification, apt uses the best hash that it supports and is published by the archive it is downloading from. In the case of the Ubuntu archive, this is SHA-256.

So the entire chain of installing packages on your Ubuntu system is protected by RSA and SHA-256.

The MD5 protection that exists in dpkg is really only useful for accidental corruption, and not necessary to protect the installation path.

You might be interested in the debsums package, but since it uses MD5s, it also is only useful for checking for accidental corruption.

If you want to check for malicious system modification, then these are not the appropriate tools for you. You will need to take the system offline and check against either a previous record, the original package files, or secure hashes generated from these.

Note that since a successful malicious modification might be to simply downgrade a package to the one prior to a security update, checking that all installed package files match against their originals may not be sufficient either.

I have gained some clearer insight. Where did you get all this information, which I have such difficulty in finding? Do you have some docus/links you used? Also I appreciate the mention of the "downgrade-danger", though I do not yet understand how exactly this might be exploited. Great! Thank you
–
humanityANDpeace Jan 10 '13 at 14:50

I don't believe that the apt repository format is properly specified or documented anywhere. This is bad, but it is how it is. The best (and to my knowledge only) true documentation is the source. I know the details because I've worked in the source. On the other hand, the dpkg format is very well specified in Debian policy. It covers what happens after packages end up on your system, but not how they get there. The latter part is done by apt.
–
Robie Basak Jan 11 '13 at 9:34

Downgrade risk: this is an aside and isn't really directly connected to your original question. If exploit X is discovered in version A, you get a security update to version B, where the vulnerability is fixed. If an attacker can exploit X in version A then you are safe, since you upgraded to B. But if the attacker can also downgrade you to A, then you are vulnerable again. You won't notice this even if all your secure hashes match the packages you have installed, since your package database will say that you are supposed to have A installed and not B.
–
Robie Basak Jan 11 '13 at 9:35

1

@RobieBasak "I don't believe that the apt repository format is properly specified or documented anywhere." Obviously this is not true. You just have to look for it. Debian Wiki: RepositoryFormat
–
gertvdijk Jan 11 '13 at 21:52
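The hash chain described in the first answer (signed manifest, then Packages index, then .deb), as an added example that is not part of the original thread and is not apt's own code. The sample Release and Packages data are constructed, and the Release signature is assumed to have been verified already (for instance with gpgv).

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a new top-level field begins
            in_section = line.strip() == "SHA256:"
        elif in_section:                        # " <digest> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def packages_stanzas(packages_text: str) -> dict:
    """Map Filename -> stanza fields from a Packages index."""
    out = {}
    for block in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines()
                      if l[:1] != " " and ": " in l)
        out[fields.get("Filename", "")] = fields
    return out

def verify_chain(release_text, index_path, packages_bytes, deb_name, deb_bytes) -> bool:
    """Assumption: the signature on release_text has already been checked."""
    want = release_sha256(release_text).get(index_path)
    if want is None or want != (sha256(packages_bytes), len(packages_bytes)):
        return False                            # index is not vouched for by Release
    stanza = packages_stanzas(packages_bytes.decode()).get(deb_name)
    if stanza is None or int(stanza.get("Size", -1)) != len(deb_bytes):
        return False                            # unknown package or wrong size
    return stanza.get("SHA256") == sha256(deb_bytes)

# Constructed sample data (not a real archive).
DEB = b"constructed .deb payload"
NAME = "pool/main/h/hello/hello_1.0-1_amd64.deb"
INDEX = "main/binary-amd64/Packages"
PACKAGES = (
    "Package: hello\nVersion: 1.0-1\n"
    f"Filename: {NAME}\nSize: {len(DEB)}\n"
    f"MD5sum: {hashlib.md5(DEB).hexdigest()}\nSHA256: {sha256(DEB)}\n"
).encode()
RELEASE = (
    "Origin: Example\nSuite: stable\n"
    "MD5Sum:\n" f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX}\n"
    "SHA256:\n" f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n"
)
```

A modified .deb fails the Packages check, and a Packages file rewritten to match it fails the Release check, so every link depends on the signed manifest.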

I wanted this to be a comment, but I couldn't fit it in the box so I'm placing it here.

Yes, md5 has been broken cryptologically, but that doesn't mean it's a bad general purpose hashing algorithm. Modifying a file so it has the same hash is incredibly difficult, and doing so with a particular malicious change is nigh on impossible. From looking at the example you referenced, (Predicting The Winner) see this:

"The documents were first carefully prepared as valid PDF documents, with a hidden image object incorporated, containing a sufficient amount of random bits. Then, according to the diamond structure shown above, eleven chosen-prefix collisions were computed, and placed inside the hidden image objects at precisely the proper spots. In this way the twelve documents were turned into an MD5 multi-collision."

What was done was filling the files with random data to make the hashes match. The technology isn't anywhere near capable of adding particular malicious code to a file and having the hashes line up without breaking it or making it obvious that the file has been changed (I don't know if apt does, but many file hashes are accompanied by their file sizes to increase the difficulty of an undetectable hash collision).

Thank you for the answer. I think it is a good reply, in the sense that it gives more light to the whole background :) Unfortunately "Stack...Ask Ubuntu" is sometimes hard with "strictly reply to the question only" and so it's great you took courage to elaborate on the topic.
–
humanityANDpeace Jan 10 '13 at 14:41

The prepared PDF files have random data and are only 104kb with all this effort. Why would you say this is impossible then? There must be tons of files in deb packages being >200kb where it must be possible to do such a thing. I feel not so safe after having seen the proof of concept, which amazed and shocked me
–
humanityANDpeace Jan 10 '13 at 14:42

There are lots of places in legitimate files where a subtle change would not appear odd, for example minor whitespace differences in a text file. You only need to find around 128 of these places to have sufficient scope to create a malicious file that both appears legitimate and also matches your desired target MD5. I'm not sure whether this particular attack could be applied to this situation though.
–
Robie Basak Jan 10 '13 at 14:50

@RobieBasak, you misunderstand the attack. You can not just go change 128 bytes in a file and preserve the md5sum. You have to insert a chunk of what otherwise appears to be two sets of random data into two copies of a file, and they will have the same md5sum as one another, despite the fact that the two chunks of "random" data are different.
–
psusi Jan 10 '13 at 15:40

md5 was not "broken". What they found was a way to carefully craft an original message, and a modified message that had the same hash. It is not possible to take an original message not specially crafted for the purpose of tampering with ( the correct file ), and modify it in such a way as to preserve its md5sum.

OK. But what would be the good way to refer to the current state of MD5 security now, if not "broken"? I can understand what you say and I thank you for pointing that out. I still wonder how to evaluate the current safety of MD5 etc.
–
humanityANDpeace Jan 10 '13 at 14:53

I like the optimistic attitude. I was still amazed by the proof of concept after all. Thanks!
–
humanityANDpeace Jan 10 '13 at 14:54

1

"Crypto experts consider MD5 broken. Therefore it should be considered broken." That's not the way the world works, @RobieBasak. As a crypto enthusiast (can't call myself an "expert" but I had to dig into it a few years back) myself, I would not state MD5 is broken. Merely that there is an interesting case worth checking out, but it seems theoretical atm. But it won't break Ubuntu's packaging ;) Back to 0 psusi ;)
–
Rinzwind Jan 10 '13 at 15:50

1

@jackweirdy, actually, there is, and that's why they didn't do that. Their method relies on both sets of data having very specific properties. It is much like a public keypair. You can generate a pair of keys that match each other, but given only one, you can not figure out the other.
–
psusi Jan 11 '13 at 1:54